CISA compressed the federal patch window to 3 days this week — and the first test case arrived immediately. Ivanti Sentry appliances are under active exploitation, ShinyHunters spent two weeks inside Oracle PeopleSoft before Oracle even published mitigations, and a critical RCE chain in the LangGraph AI framework reminds us that AI supply chain risk is no longer hypothetical. Today’s brief covers the flaws that will drive customer conversations this week and the directive that will reshape patch SLAs for the next year.
In the News
Ivanti Sentry Max-Severity RCE Exploited — CISA Orders 3-Day Patch
Attackers began exploiting a maximum-severity remote code execution flaw in Ivanti Sentry mobile gateway appliances within 24 hours of public disclosure. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and, for the first time under the new Binding Operational Directive 26-04, mandated a 3-day remediation window for federal agencies.
Honeypot telemetry confirms active scanning and exploitation attempts against internet-facing Sentry instances. Ivanti Sentry serves as the gateway for mobile device management traffic in many enterprise environments — a compromised Sentry appliance gives an attacker a position between managed devices and backend infrastructure, making it a high-value initial access vector.
The speed of exploitation is notable but not surprising. Attackers have consistently compressed the time from disclosure to exploitation for perimeter appliances — Ivanti, Fortinet, Palo Alto, and Citrix products have all followed this pattern over the past 18 months. The 3-day federal mandate under BOD 26-04 reflects CISA’s recognition that the old 21-day window was operationally meaningless for flaws that are exploited within hours.
What defenders should do: Confirm Ivanti Sentry instances are patched. If patching requires a maintenance window, restrict Sentry management interfaces to internal-only access immediately. Monitor for anomalous authentication patterns and unexpected outbound connections from Sentry appliances.
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) in University Breaches
Google Mandiant confirmed that ShinyHunters, tracked as UNC6240, exploited CVE-2026-35273 — an unpatched remote code execution vulnerability in Oracle PeopleSoft — to breach multiple universities between May 27 and June 9, 2026. Oracle did not publish an advisory or mitigation guidance until June 10, leaving a 14-day window during which every internet-facing PeopleSoft deployment was exposed with no vendor fix available.
The University of Nottingham breach alone affects more than 450,000 student records. PeopleSoft remains widely deployed across higher education and large enterprises for HR, payroll, and financial management. The combination of a zero-day with no available patch and a threat actor with ShinyHunters’ track record of large-scale data exfiltration makes this one of the more consequential ERP-targeting campaigns of 2026.
What defenders should do: Organizations running Oracle PeopleSoft must apply Oracle’s June 10 mitigations immediately. Beyond patching, conduct retrospective threat hunting covering the May 27–June 9 exploitation window. Web application firewall rules should be reviewed for PeopleSoft-specific attack patterns, and PeopleSoft application tiers should be segmented from general network access.
CISA Rewrites Federal Patching Rules — BOD 26-04 Mandates 3-Day Window
Binding Operational Directive 26-04 represents the most significant change to federal vulnerability management since BOD 22-01 established the KEV catalog in November 2021. The new directive compresses the remediation window for actively exploited critical-severity KEV flaws from 21 days to 3 days, with a 180-day rollout period for federal agencies to operationalize the compressed timeline.
CISA cited AI-driven exploit acceleration as a primary factor behind the directive. The agency’s position is clear: when attackers weaponize disclosed vulnerabilities within hours, a three-week patch window is not a mitigation — it is an acceptance of compromise. The directive introduces risk-based prioritization tiers aligned to the KEV catalog’s severity ratings, formally acknowledging that not all vulnerabilities require the same urgency.
For the private sector, BOD 26-04 sets the benchmark that boards and regulators will reference. If the federal government expects 3-day remediation for critical exploited flaws, enterprise patch SLAs of 30 or 60 days become increasingly difficult to defend in regulatory filings, cyber insurance applications, and board risk presentations.
What defenders should do: Use BOD 26-04 as the catalyst to review internal patch SLAs. Map current mean-time-to-remediate (MTTR) against the 3-day benchmark for critical KEV flaws. Invest in exposure management platforms and automated patch orchestration that make compressed timelines operationally achievable.
Today’s Deep Dive — AI Framework Supply Chain Risk Is Now Operational
A critical vulnerability chain in LangGraph, the orchestration layer for LangChain-based AI agents, demonstrates that AI supply chain risk has moved from conference-talk speculation to exploitable reality. The chain begins with SQL injection in LangGraph’s persistence layer and escalates to full remote code execution on self-hosted deployments.
LangGraph is the framework powering a significant portion of enterprise agentic AI workflows — multi-step reasoning chains, tool-calling agents, and autonomous task execution systems. Self-hosted deployments run this code on infrastructure with access to internal databases, APIs, and credentials. An RCE in the orchestration layer is functionally equivalent to an RCE in a web application framework, except that in many organizations AI frameworks are deployed faster, patched less often, and exempted from the security review that traditional applications receive.
The vulnerability classes at play — SQL injection and insecure deserialization — are not novel. They are the same flaws that have plagued web applications for two decades. What is new is the deployment context: AI orchestration frameworks inherit every traditional application vulnerability class while operating with elevated privileges and access to sensitive data pipelines. The MITRE ATT&CK mapping is straightforward: T1190 (Exploit Public-Facing Application) for initial access, T1059 (Command and Scripting Interpreter) for execution.
Organizations deploying self-hosted AI agent infrastructure should treat these systems with the same rigor applied to any internet-facing application: software composition analysis (SCA) for dependency tracking, runtime application self-protection (RASP) or web application firewall coverage, microsegmentation to limit blast radius, and inclusion in the organization’s vulnerability management program with SLAs matching the system’s data sensitivity.
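The two vulnerability classes named above, shown side by side in a toy checkpoint store. This is an added example written for this brief, not LangGraph's code or schema: the checkpoints table, the function names, the tenant rows and the pickle-based state blob are all assumptions made for illustration. It shows a string-built query leaking every tenant's row to a tautology payload while the parameterized version returns nothing, and a stored blob executing a callable the moment it is unpickled while a restricted unpickler (or plain JSON) refuses it.

```python
import io
import json
import pickle
import sqlite3

# Constructed sample rows for a toy checkpoint table with two tenants.
# This schema is an illustrative stand-in, not LangGraph's persistence layer.
SEED_ROWS = [
    ("thread-alice", "alice", '{"step": 3, "state": "draft"}'),
    ("thread-bob", "bob", '{"step": 1, "state": "confidential"}'),
]


def make_db():
    """In-memory SQLite store seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, owner TEXT, state TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def load_checkpoint_vulnerable(conn, owner, thread_id):
    """Caller-controlled thread_id is spliced into the SQL text: injectable."""
    sql = (
        "SELECT thread_id, state FROM checkpoints "
        f"WHERE owner = '{owner}' AND thread_id = '{thread_id}'"
    )
    return conn.execute(sql).fetchall()


def load_checkpoint_hardened(conn, owner, thread_id):
    """Bound parameters: the driver never lets caller data become SQL syntax."""
    sql = "SELECT thread_id, state FROM checkpoints WHERE owner = ? AND thread_id = ?"
    return conn.execute(sql, (owner, thread_id)).fetchall()


# --- deserialization: what an attacker-controlled checkpoint blob can do ---

SIDE_EFFECTS = []  # stand-in for "a command ran"; a real payload would call os.system


def record_side_effect(msg):
    SIDE_EFFECTS.append(msg)
    return msg


class MaliciousBlob:
    """Unpickling this object calls record_side_effect() before any code inspects it."""

    def __reduce__(self):
        return (record_side_effect, ("code executed during unpickle",))


def attacker_blob():
    """Constructed malicious checkpoint blob, as it might sit in a tampered row."""
    return pickle.dumps(MaliciousBlob())


def benign_blob():
    """Constructed legitimate blob: plain containers and scalars only."""
    return pickle.dumps({"step": 3})


def restore_state_vulnerable(blob):
    """pickle.loads on untrusted bytes: arbitrary callables run on load."""
    return pickle.loads(blob)


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so only plain containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restore_state_hardened(blob):
    return _NoGlobalsUnpickler(io.BytesIO(blob)).load()


def restore_state_json(text):
    """Preferred fix: store state as JSON, which has no code-execution path."""
    return json.loads(text)


def demo():
    """Run both attacks against both versions and summarise the outcome."""
    conn = make_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into a tautology
    vuln_rows = load_checkpoint_vulnerable(conn, "alice", payload)
    safe_rows = load_checkpoint_hardened(conn, "alice", payload)

    SIDE_EFFECTS.clear()
    blob = attacker_blob()
    restore_state_vulnerable(blob)
    ran = len(SIDE_EFFECTS) == 1
    try:
        restore_state_hardened(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {
        "vuln_rows": len(vuln_rows),    # every tenant's row leaks
        "safe_rows": len(safe_rows),    # no row matches the literal string
        "pickle_ran_code": ran,
        "pickle_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is a containment measure for data you cannot yet migrate; the durable fix is to never deserialize executable formats from a store that a SQL injection (or any other write path) could tamper with, which is why the JSON variant is the one to keep.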
Detection Spotlight
For organizations monitoring for exploitation of Oracle PeopleSoft CVE-2026-35273, the following Splunk SPL query identifies anomalous web requests to PeopleSoft servlet endpoints (the PIA /psc/ and /psp/ paths and the /PSIGW/ Integration Gateway) that match the exploitation pattern reported by Mandiant: repeated, unexpected POST requests carrying oversized request bodies. Field names follow the Splunk Add-on for Microsoft IIS; note that cs_bytes (bytes received from the client) measures the request size, whereas sc_bytes is the size of the server's response and would miss the pattern entirely:
index=web (sourcetype=iis OR sourcetype=apache)
(cs_uri_stem="*PSIGW*" OR cs_uri_stem="*psc/*" OR cs_uri_stem="*psp/*")
cs_method=POST cs_bytes>50000
| stats count by src_ip, cs_uri_stem, sc_status
| where count > 10
| sort -count
This query surfaces source IPs making repeated large POST requests to PeopleSoft servlet endpoints. The parentheses make the grouping explicit rather than relying on SPL operator precedence. Tune the cs_bytes threshold and the count filter against your environment's baseline PeopleSoft traffic. Two field-name caveats: the IIS add-on extracts the client address as c_ip (mapped to the CIM field src), so rename src_ip or add an alias; and Splunk's default Apache access_combined extraction uses uri_path, method, status and bytes (the response size), while the combined log format records no request size at all, so the Apache branch needs field aliases and a log format that logs bytes received (mod_logio's %I). False positives will include legitimate PeopleSoft integration traffic; correlate hits against known integration partner IP ranges. Focus investigation on the May 27 to June 9 window for retrospective hunting.
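The same detection logic as the SPL above, as an added Python example that is not from Mandiant or the original query, run over a constructed IIS W3C log so the filters can be checked offline before they are deployed. The paths, addresses, byte counts and timestamps in the sample are made up; the integration-partner allow-list and the hunting-window parameters are additions that mirror the tuning advice in the preceding paragraph.

```python
import re
from collections import Counter

# PeopleSoft servlet paths: PIA (/psc/, /psp/) and the Integration Gateway (/PSIGW/)
PEOPLESOFT_PATHS = re.compile(r"/(PSIGW|psc|psp)/", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines.

    Field names come from the #Fields directive, so the parser follows
    whatever column order the server was configured to log.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def suspicious_posts(lines, min_request_bytes=50000, min_count=10,
                     known_partners=(), start=None, end=None):
    """Mirror of the SPL: repeated oversized POSTs to PeopleSoft servlets.

    Counts by (client IP, URI stem, status), drops allow-listed integration
    partners, and optionally restricts to an ISO-date hunting window
    (inclusive). Returns [(ip, uri_stem, status, count), ...] sorted by
    count, descending.
    """
    counts = Counter()
    for rec in parse_w3c(lines):
        if rec["cs-method"] != "POST":
            continue
        if not PEOPLESOFT_PATHS.search(rec["cs-uri-stem"]):
            continue
        if int(rec["cs-bytes"]) <= min_request_bytes:  # request size, not response
            continue
        if rec["c-ip"] in known_partners:
            continue
        # ISO dates compare correctly as strings, so no datetime parsing needed
        if (start and rec["date"] < start) or (end and rec["date"] > end):
            continue
        counts[(rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])] += 1
    hits = [(ip, uri, status, n) for (ip, uri, status), n in counts.items() if n > min_count]
    hits.sort(key=lambda h: (-h[3], h[0]))
    return hits


def sample_log():
    """Constructed IIS W3C log: one noisy source, one partner, normal users."""
    lines = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes cs-bytes",
    ]
    target = "/psc/ps/EMPLOYEE/HRMS/c/EXAMPLE_MENU.EXAMPLE_PAGE.GBL"
    # 12 oversized POSTs from one address, all answered with HTTP 500
    for i in range(12):
        lines.append(f"2026-06-02 03:14:{i:02d} POST {target} 203.0.113.7 500 1024 {90000 + i}")
    # 3 large but legitimate gateway POSTs from an integration partner
    for i in range(3):
        lines.append(f"2026-06-02 04:00:{i:02d} POST /PSIGW/PeopleSoftListeningConnector 198.51.100.20 200 2048 120000")
    # ordinary interactive traffic: small POSTs and GETs from many users
    for i in range(20):
        lines.append(f"2026-06-02 09:{i:02d}:00 POST /psp/ps/EMPLOYEE/HRMS/h/ 192.0.2.{i + 1} 200 4096 812")
        lines.append(f"2026-06-02 09:{i:02d}:30 GET {target} 192.0.2.{i + 1} 200 65536 400")
    return lines


if __name__ == "__main__":
    for hit in suspicious_posts(sample_log(), known_partners={"198.51.100.20"},
                                start="2026-05-27", end="2026-06-09"):
        print(hit)
```

Running it with the partner allow-listed and the window set to the exploitation dates leaves exactly one tuple: the address that sent twelve oversized POSTs and drew HTTP 500s. Lowering min_count to 2 without the allow-list also surfaces the partner's three gateway posts, which is the false-positive class the paragraph above warns about.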
References
- CISA gives feds 3 days to patch Ivanti flaw exploited in attacks — BleepingComputer
- Google confirms exploitation of Oracle PeopleSoft zero-day by ShinyHunters — SecurityWeek / Mandiant
- CISA tells govt agencies to patch critical exploited flaws in 3 days — BleepingComputer
- LangGraph flaw chain exposes self-hosted AI agents to RCE — The Hacker News
- Authorities dismantle AudiA6 ransomware crypto laundering service — BleepingComputer
- INTERPOL takes down Sniper Dz phishing platform — The Hacker News
- Iranian cyber group Handala claims Cal Water hack — SecurityWeek
- OnyxC2 stealer offers enterprise-grade theft for $250/month — SecurityWeek
- PAN-OS CVE-2026-0273 advisory — Palo Alto Networks
- Novo Nordisk discloses security breach — BleepingComputer
Subscribe to the it-learn Brief
Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.